b'Department of Homeland Security\n   Of\xef\xac\x81ce of Inspector General\n\n                      Letter Report:\n\n        Review of Customs and Border Protection\xe2\x80\x99s\n       Certification of Automated Targeting System\xe2\x80\x93\n                  Passenger Enhancements\n\n\n\n\nOIG-09-44                                       March 2009\n\x0c                                                                  Office of Inspector General\n\n                                                                  U.S. Department of Homeland Security\n                                                                  Washington, DC 20528\n\n\n\n\n                                           March 23, 2009\n\n\nMEMORANDUM FOR: \t                 The Honorable Elaine C. Duke\n                                  Under Secretary for Management\n\n\nFROM: \t                           Richard L. Skinner\n                                  Inspector General\n\nSUBJECT: \t                        Letter Report: Review of Customs and Border Protection\xe2\x80\x99s\n                                  Certification of Automated Targeting System\xe2\x80\x93Passenger\n                                  Enhancements (OIG-09-44)\n\nWe reviewed the certification by Customs and Border Protection (CBP) pertaining to\nenhancements of the Automated Targeting System-Passenger (ATS-P) according to\ncongressional requirements for the FY 2009 funding for such enhancements.1 CBP\xe2\x80\x99s\ncertification is to describe how ATS-P enhancements will improve targeting while fully\ncomplying with statutory requirements for handling and securing personal data.\nCongress requires CBP to certify that such enhancements comply with all applicable\nlaws, including privacy-protection laws, and that the Office of Inspector General (OIG)\nreview the certification.\n\nWe are unable to determine whether CBP properly certified the proposed ATS-P\nenhancements based on the limited information CBP provided for our review. CBP did\nnot provide sufficient information about the enhancements or the applicable statutory\nrequirements to enable us to determine whether the proposed enhancements comply with\nthe requirements for handling and securing personal data. Information that would have\naided in our review includes documents such as a current risk assessment, security testing\nand evaluation plan, or a draft, revised privacy impact assessment (PIA). These\ndocuments would have provided an additional level of assurance that CBP is fully\nconsidering the impact of the proposed enhancements.\n\nHowever, after reviewing CBP\xe2\x80\x99s Operational Program Enhancements Plan, the controls\noutlined in the August 2007 PIA, and the additional supporting documentation provided,\n\n1\n Consolidated Security, Disaster Assistance, and Continuing Appropriations Act, 2009, P.L. 110-329,\nSeptember 30, 2008; Explanatory Statement, 154 Cong. Rec. H9434, H9741, 9794 (daily ed.,\nSeptember 24, 2008); House Committee Report 110-862, p. 28, 30, 37.\n\n\n                                                   1\n\n\x0cwe do not foresee any significant risks to the personal data being collected and stored\nwithin ATS-P brought about by the proposed system enhancements. Additionally, in\nOctober 2007, we reported that system controls and internal processes were in place to\nprotect personally identifiable information maintained in the ATS-P database.2\n\nWe are not making any recommendations in this report. Should you have any questions,\nplease call me, or your staff may contact Frank Deffer, Assistant Inspector General,\nInformation Technology Audit, at (202) 254-4100.\n\nBackground\n\nThe Automated Targeting System (ATS) is the cornerstone for all CBP targeting efforts.\nATS-P, one of the databases that make up ATS, is deployed at all ports-of-entry (air,\nship, and rail) and has been used in evaluating (\xe2\x80\x9ctargeting\xe2\x80\x9d) passengers before they arrive\nin the U.S. since 1999. ATS-P contains most of the personally identifiable information\n(PII) stored in ATS and used in CBP\xe2\x80\x99s targeting efforts.3 PII is collected directly from\ncommercial carriers in the form of a passenger name record, which is then used to target\nsuspicious individuals.4 ATS-P also maintains various real-time information from other\nCBP systems and law enforcement databases.\n\nThe Department of Homeland Security (DHS) has a duty to protect PII from loss and\nmisuse. The loss or compromise of ATS data can have severe consequences, affecting\nnational security, U.S. citizens, and the department\xe2\x80\x99s missions. There is substantial\npublic and foreign interest in DHS\xe2\x80\x99 collection and use of ATS data and the potential\nprivacy implications in the event of disclosure. The privacy implications include:\n\n    \xe2\x80\xa2    Potential threats to personal information during transmission.\n    \xe2\x80\xa2    Violations of passenger rights.\n    \xe2\x80\xa2    Unauthorized access to PII stored within ATS, especially ATS-P.\n    \xe2\x80\xa2    Personal identity theft.\n\nReporting Requirements\n\nPursuant to congressional requirements accompanying the FY 2009 Consolidated\nSecurity, Disaster Assistance, and Continuing Appropriations Act, the OIG must review\nCBP\xe2\x80\x99s certification of the proposed ATS-P enhancements and report on it to the\n\n\n2\n  OIG-08-06, Better Administration of Automated Targeting System Controls Can Further Protect\nPersonally Identifiable Information (October 2007).\n3\n  PII includes information about an individual\xe2\x80\x99s education, financial transactions, medical history, criminal\nor employment history, and other information that can be used to distinguish or trace an individual\xe2\x80\x99s\nidentity, such as their name, Social Security number, date and place of birth, mother\xe2\x80\x99s maiden name, and\nbiometric records, including fingerprints.\n4\n  Passenger name records contain a significant amount of data about passengers and crew members entering\nor departing the U.S., including an individual\xe2\x80\x99s name, address, dates of travel, contact information, frequent\nflier and benefit information, all available payment and billing information, travel itinerary, ticketing\ninformation, baggage information, passenger and crew manifests, and immigration control information.\n\n\n                                                      2\n\n\x0cAppropriations Committees.5 Before FY 2009 appropriated funds are obligated for any\nATS-P enhancements, Congress requires CBP to certify that such enhancements comply\nwith all applicable laws, including privacy protection laws, and that the OIG reviewed its\ncertification.6\n\nOur conclusion was based on a review of information provided by CBP with its\ncertification letter. Although CBP certified that proposed enhancements would comply\nwill all applicable privacy laws, it did not certify whether the enhancements would\ncomply with all laws, not just privacy laws, as required. Further, we were not provided\nwith sufficient information to determine whether we agree with CBP\xe2\x80\x99s certification of the\nproposed enhancements.\n\nPrior Audit Results\n\nFrom March 2007 through July 2007, we evaluated whether DHS was protecting the PII\ncollected, transmitted, and stored within ATS. In October 2007, we reported that CBP\nhad implemented robust operational and system security controls to protect the PII\ncontained within ATS.7 Those controls, to mitigate the privacy risks identified, were\noutlined in the Privacy Impact Assessment for the Automated Targeting System, dated\nNovember 22, 2006. CBP was effectively employing these controls in protecting\nindividuals\xe2\x80\x99 PII. Other control measures, including those for granting access to system\ndata, providing users with computer security and privacy awareness training, and\ndeploying network protection mechanisms, contributed in protecting the PII captured and\nretained in the ATS-P database. During this audit, we did not evaluate other management\nor administrative-type controls that might be employed to fully protect PII data.\n\nCertification Documentation\n\nIn December 2008, CBP requested that we review its proposed certification letter to the\nU.S. House of Representatives Committee on Appropriations, Subcommittee on\nHomeland Security. The letter incorrectly asserted that we had \xe2\x80\x9creviewed\xe2\x80\x9d CBP\xe2\x80\x99s\ncertification and \xe2\x80\x9cverified\xe2\x80\x9d that the ATS-P enhancements fully complied with applicable\nlaws, providing as support our October 2007 ATS audit report. CBP, however, had not\nprovided us with information on the ATS-P enhancements to review. Shortly thereafter,\nwe met with CBP and ATS officials to voice our concerns with the certification.\n\nAt the meeting, we requested supporting documentation for our review, including the\nmethodology used to support the enhancements, a breakdown of the specific\nhardware/software to be used in the enhancements, and the specific laws that applied to\nthe ATS-P enhancements. In January 2009, CBP provided us with a document, entitled\n\xe2\x80\x9cATS-P Operational Enhancements,\xe2\x80\x9d but did not provide any additional information\n\n5\n  Explanatory Statement, 154 Cong. Req. H9434, H9741 (daily ed. September 24, 2008); House Committee \n\nReport 110-862, p. 28, 37. \n\n6\n  Explanatory Statement, 154 Cong. Rec. at H9794; House Committee Report 110-862, p. 30, 37. \n\n7\n  OIG-08-06, Better Administration of Automated Targeting System Controls Can Further Protect\n\nPersonally Identifiable Information (October 2007)\n\n\n\n                                                 3\n\n\x0cconcerning the statutory requirements applicable to the enhancements. Uncertainty\nremains as to what security controls CBP would implement to protect PII and which laws\nare relevant to the proposed ATS-P enhancements. We asked CBP officials a second\ntime for additional information, and were provided with an updated certification letter,\nbut it did not address the issues we discussed at our December meeting or our subsequent\nrequest for additional supporting documentation.\n\nATS-P Enhancements\n\nCBP\xe2\x80\x99s updated certification letter outlines the following proposed ATS-P enhancements\nto improve its targeting methodology:\n\n      \xe2\x80\xa2\t Develop a simulation and testing environment to achieve benefits realized by a\n         similar effort deployed for CBP\xe2\x80\x99s cargo targeting system.\n      \xe2\x80\xa2\t Incorporate a refresh of existing high-availability focused technology.\n      \xe2\x80\xa2\t Convert the current ATS-P client and server application designs to a new \n\n         architecture (conversion to a Microsoft .NET architecture). \n\n      \xe2\x80\xa2\t Establish a data warehouse and reporting facility to facilitate ad hoc reporting,\n         queries, and other tasks requiring the use of depersonalized data elements.\n\nIn an effort to evaluate whether the proposed enhancements to ATS-P will affect CBP\xe2\x80\x99s\ncompliance with statutory requirements for handling and securing personal data, we first\nreviewed the privacy risks associated with maintaining the information in ATS as\ndocumented in the updated PIA (dated August 3, 2007). While we identified that those\nrisks were addressed in the updated PIA, we could not determine whether the\nenhancement of ATS-P will comply with all applicable laws, including the Privacy Act of\n1974.8 At a minimum, CBP needs to identify the specific laws that apply to the ATS-P\nenhancements.\n\nIn February 2009, we requested more detailed information supporting the proposed\nenhancements. Our request included CBP\xe2\x80\x99s security testing and evaluation plan, network\nlayout for both the data warehouse and the simulation and testing environment, and\nwhether live PII would be used in the simulation and testing environment. We also\nrequested what web-based controls would be implemented as part of the new architecture\nand whether CBP had assessed the vulnerabilities and risks that may be inherent in the\nproposed .NET architecture. Additionally, we asked whether a revised PIA had been\ndrafted.\n\nBased upon our review of the information received, we continue to have concerns in\nrelation to the ATS-P enhancements and the risks and controls that should be considered\nin association with those enhancements. For example, risks associated with the\nconversion to a Microsoft .NET platform lie in its configuration. Vulnerabilities inherent\nin any .NET architecture include custom errors, tracing data, debugging, cookie\nmanagement, and session timers. Default and/or poorly configured web-based\n\n8\n    5 U.S.C. \xc2\xa7 552a\n\n\n                                               4\n\n\x0capplications can allow attackers access to critical information about the web application,\nserver, and services, compromising assets and information.\n\nWhile we recognize that it may be necessary to upgrade the existing software platform\nbecause the current platform may no longer be supported, CBP did not provide us with a\nrisk assessment or its security testing and evaluation plan to address:\n\n\xe2\x80\xa2\t Vulnerabilities and risks associated with the security of PII in the proposed ATS-P\n   .NET architecture.\n\xe2\x80\xa2\t Storage and maintenance of ATS-P privacy information in the proposed data\n   warehouse and reporting facility.\n\xe2\x80\xa2\t Use of PII in the proposed simulation and testing environment.\n\nAdditionally, CBP did not provide us with documentation of any additional web-based\nsecurity controls being considered as a result of the proposed enhancements or a revised,\nupdated draft of the PIA. Overall, we were not provided with documentation that we\nexpected, to provide an additional level of assurance that CBP is fully considering the\nimpact of the proposed enhancements.\n\nCurrent Position\n\nBased on our review of the ATS-P Operational Enhancements Program Plan, the\nAugust 2007 ATS PIA, our prior audit work, and supporting documentation provided, we\ndo not foresee that the proposed enhancements would pose significant changes to the\ninternal control processes CBP currently has in place to protect ATS-P privacy data.\nThough we cannot determine whether the impact of the proposed enhancements is being\nfully considered or verify that the proposed enhancements were properly certified, it is\nour opinion that CBP will ensure that the PII contained within ATS-P is secure and that\naccess is limited in accordance with applicable laws. Therefore, based on our\nunderstanding of the existing ATS-P system environment and the limited supplementary\ninformation CBP provided, we do not expect the introduction of additional significant\nrisks to the personal data being collected and stored in ATS-P once the proposed\nenhancements are implemented.\n\n*********************\nWe conducted our review from December 2008 through February 2009. We did not\nfollow generally accepted government audit standards in performing this review. We\nperformed this nonaudit service in response to a congressional request. We are providing\nour professional opinion on whether the proposed ATS-P enhancements fully comply\nwith all applicable laws as documented in CBP\xe2\x80\x99s certification\n\n\n\n\n                                             5\n\n\x0cAppendix A\nMajor Contributors to This Report\n\n\n                   Information Security Audits Division\n\n                   Edward G. Coleman, Director\n                   Barbara Bartuska, Audit Manager\n                   Michael Horton, Information Technology Officer\n\n                   Office of Counsel\n\n                   Jennifer Ashworth, Assistant Counsel to the Inspector General\n\n\n\n\n                                        6\n\n\x0cAppendix B\nReport Distribution\n\n\n                      Department of Homeland Security\n\n                      Secretary\n                      Acting Deputy Secretary\n                      Chief of Staff for Operations\n                      Chief of Staff for Policy\n                      Acting General Counsel\n                      Executive Secretary\n                      Under Secretary, Management\n                      Assistant Secretary for Policy\n                      Assistant Secretary for Public Affairs\n                      Assistant Secretary for Legislative Affairs\n                      Chief Information Officer\n                      Chief Information Security Officer\n                      DHS Audit Liaison\n                      CBP Commissioner\n                      CBP Audit Liaison\n\n                      Office of Management and Budget\n\n                      Chief, Homeland Security Branch\n                      DHS OIG Budget Examiner\n\n                      Congress\n\n                      Congressional Oversight and Appropriations Committees, as\n                      appropriate\n\n\n\n\n                                            7\n\n\x0cADDITIONAL INFORMATION AND COPIES\n\nTo obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4199,\nfax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.\n\n\nOIG HOTLINE\n\nTo report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal\nmisconduct relative to department programs or operations:\n\n\xe2\x80\xa2 Call our Hotline at 1-800-323-8603;\n\n\xe2\x80\xa2 Fax the complaint directly to us at (202) 254-4292;\n\n\xe2\x80\xa2 Email us at DHSOIGHOTLINE@dhs.gov; or\n\n\xe2\x80\xa2 Write to us at:\n       DHS Office of Inspector General/MAIL STOP 2600,\n       Attention: Office of Investigations - Hotline,\n       245 Murray Drive, SW, Building 410,\n       Washington, DC 20528.\n\n\nThe OIG seeks to protect the identity of each writer and caller.\n\x0c'